Hi,

I just noticed that exec-shield looks broken in newer kernels. All tests are on i686 with prelinking disabled and

kernel.exec-shield = 1
kernel.exec-shield-randomize = 1
vm.legacy_va_layout = 0

A cat /proc/self/maps looks like this:

2.6.8-1.521smp (FC 2):

00cbf000-00cd4000 r-xp 00000000 03:02 327682 /lib/ld-2.3.3.so
00cd4000-00cd5000 r--p 00014000 03:02 327682 /lib/ld-2.3.3.so
00cd5000-00cd6000 rw-p 00015000 03:02 327682 /lib/ld-2.3.3.so
00dad000-00ec3000 r-xp 00000000 03:02 229387 /lib/tls/libc-2.3.3.so
00ec3000-00ec4000 r--p 00116000 03:02 229387 /lib/tls/libc-2.3.3.so
00ec4000-00ec7000 rw-p 00117000 03:02 229387 /lib/tls/libc-2.3.3.so
00ec7000-00ec9000 rw-p 00ec7000 00:00 0
08048000-0804c000 r-xp 00000000 03:02 459964 /bin/cat
0804c000-0804d000 rw-p 00003000 03:02 459964 /bin/cat
09dc8000-09de9000 rw-p 09dc8000 00:00 0
f6dc4000-f6dc5000 r--p 00b1e000 03:02 475909 /usr/lib/locale/locale-archive
f6dc5000-f6df8000 r--p 00aea000 03:02 475909 /usr/lib/locale/locale-archive
f6df8000-f6ff8000 r--p 00000000 03:02 475909 /usr/lib/locale/locale-archive
f6ff8000-f6ff9000 rw-p f6ff8000 00:00 0
feee0000-ff000000 rw-p feee0000 00:00 0
ffffd000-ffffe000 ---p 00000000 00:00 0

This is the familiar behavior. Only the exec mappings have the x bit and they are randomized. The shared libs are placed under the binary.
2.6.9-1.667smp (FC 3):

00111000-00112000 r-xp 00a46000 03:01 640087 /usr/lib/locale/locale-archive
00112000-00113000 r-xp 00a99000 03:01 640087 /usr/lib/locale/locale-archive
002ef000-00304000 r-xp 00000000 03:01 704213 /lib/ld-2.3.3.so
00304000-00305000 r-xp 00014000 03:01 704213 /lib/ld-2.3.3.so
00305000-00306000 rwxp 00015000 03:01 704213 /lib/ld-2.3.3.so
00485000-00685000 r-xp 00000000 03:01 640087 /usr/lib/locale/locale-archive
0079c000-008bd000 r-xp 00000000 03:01 704943 /lib/tls/libc-2.3.3.so
008bd000-008bf000 r-xp 00120000 03:01 704943 /lib/tls/libc-2.3.3.so
008bf000-008c1000 rwxp 00122000 03:01 704943 /lib/tls/libc-2.3.3.so
008c1000-008c3000 rwxp 008c1000 00:00 0
009e8000-009e9000 rwxp 009e8000 00:00 0
00d8b000-00dbd000 r-xp 00a12000 03:01 640087 /usr/lib/locale/locale-archive
00f85000-00fb9000 r-xp 00a64000 03:01 640087 /usr/lib/locale/locale-archive
08048000-0804c000 r-xp 00000000 03:01 441615 /bin/cat
0804c000-0804d000 rwxp 00003000 03:01 441615 /bin/cat
0804d000-0806e000 rwxp 0804d000 00:00 0
feffe000-ff000000 rw-p feffe000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0

Here all mappings except the stack have the x bit and they are randomized. I think this will cause the locale-archive mappings to be placed under the binary too.
2.6.9-1.678_FC3 (FC 3):

08048000-0804c000 r-xp 00000000 03:01 6296799 /bin/cat
0804c000-0804d000 rwxp 00003000 03:01 6296799 /bin/cat
0804d000-0806e000 rwxp 0804d000 00:00 0
f6c37000-f6c38000 r-xp 00b71000 03:01 27280385 /usr/lib/locale/locale-archive
f6c38000-f6c6c000 r-xp 00b3c000 03:01 27280385 /usr/lib/locale/locale-archive
f6c6c000-f6c6d000 r-xp 00b1e000 03:01 27280385 /usr/lib/locale/locale-archive
f6c6d000-f6c9f000 r-xp 00aea000 03:01 27280385 /usr/lib/locale/locale-archive
f6c9f000-f6e9f000 r-xp 00000000 03:01 27280385 /usr/lib/locale/locale-archive
f6e9f000-f6ea0000 rwxp f6e9f000 00:00 0
f6ea0000-f6fc1000 r-xp 00000000 03:01 31481922 /lib/tls/libc-2.3.3.so
f6fc1000-f6fc3000 r-xp 00120000 03:01 31481922 /lib/tls/libc-2.3.3.so
f6fc3000-f6fc5000 rwxp 00122000 03:01 31481922 /lib/tls/libc-2.3.3.so
f6fc5000-f6fc7000 rwxp f6fc5000 00:00 0
f6fe9000-f6ffe000 r-xp 00000000 03:01 16798526 /lib/ld-2.3.3.so
f6ffe000-f6fff000 r-xp 00014000 03:01 16798526 /lib/ld-2.3.3.so
f6fff000-f7000000 rwxp 00015000 03:01 16798526 /lib/ld-2.3.3.so
feffe000-ff000000 rw-p feffe000 00:00 0
ffffe000-fffff000 ---p 00000000 00:00 0

Here all mappings, including the executable mapping, are placed top down. Only the stack doesn't have the x bit and there is no randomization at all. I think exec-shield is mostly not working here (except the non-exec stack). With segment-based executable protection (no NX bit) the address space is executable up to 0xf7000000.

utz
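The check the post does by eye can be scripted. The following is an added example, not part of utz's post or of the exec-shield patch: a small auditor for /proc/<pid>/maps text that counts mappings which are writable and executable at the same time (the rwxp segments the two FC3 kernels show) and records the highest end address of any executable mapping. On a CPU without an NX bit, exec-shield emulates non-executable pages by trimming the code segment limit to the highest executable mapping, so everything below that address is effectively executable; that is what the 0xf7000000 remark in the post is about. The three sample texts are short excerpts copied from the maps output above (the kernels in question predate the [stack] and [vdso] annotations, so the parser deliberately relies on permissions only). The live read of /proc/self/maps in main() assumes it is run on Linux and is skipped otherwise.

```c
/*
 * Added example (not from the original post): audit /proc/<pid>/maps text
 * for W^X violations and for the effective executable limit that a
 * segment-based (non-NX) exec-shield would have to use.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct maps_summary {
    int total;                /* mappings parsed */
    int exec;                 /* mappings with the x bit */
    int rwx;                  /* mappings with both w and x: W^X violations */
    unsigned long exec_limit; /* highest end address of any executable mapping */
};

/* Parse the "start-end perms" prefix of one maps line; the rest is ignored. */
static int parse_maps_line(const char *line, unsigned long *start,
                           unsigned long *end, char perms[5])
{
    return sscanf(line, "%lx-%lx %4s", start, end, perms) == 3;
}

/* Summarise a whole maps text (lines separated by '\n'). */
struct maps_summary audit_maps(const char *text)
{
    struct maps_summary s = {0, 0, 0, 0};
    const char *p = text;

    while (*p) {
        char line[512];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        unsigned long start, end;
        char perms[5];

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        if (parse_maps_line(line, &start, &end, perms)) {
            s.total++;
            if (perms[2] == 'x') {
                s.exec++;
                if (end > s.exec_limit)
                    s.exec_limit = end;   /* segment limit must cover this */
            }
            if (perms[1] == 'w' && perms[2] == 'x')
                s.rwx++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return s;
}

/* Excerpts copied from the post: FC2 2.6.8-1.521smp, FC3 2.6.9-1.667smp,
 * FC3 2.6.9-1.678_FC3.  Only a few lines of each are kept. */
const char *SAMPLE_FC2 =
    "00cbf000-00cd4000 r-xp 00000000 03:02 327682 /lib/ld-2.3.3.so\n"
    "00cd5000-00cd6000 rw-p 00015000 03:02 327682 /lib/ld-2.3.3.so\n"
    "08048000-0804c000 r-xp 00000000 03:02 459964 /bin/cat\n"
    "0804c000-0804d000 rw-p 00003000 03:02 459964 /bin/cat\n"
    "feee0000-ff000000 rw-p feee0000 00:00 0\n";

const char *SAMPLE_FC3_667 =
    "002ef000-00304000 r-xp 00000000 03:01 704213 /lib/ld-2.3.3.so\n"
    "00305000-00306000 rwxp 00015000 03:01 704213 /lib/ld-2.3.3.so\n"
    "08048000-0804c000 r-xp 00000000 03:01 441615 /bin/cat\n"
    "0804c000-0804d000 rwxp 00003000 03:01 441615 /bin/cat\n"
    "feffe000-ff000000 rw-p feffe000 00:00 0\n";

const char *SAMPLE_FC3_678 =
    "08048000-0804c000 r-xp 00000000 03:01 6296799 /bin/cat\n"
    "0804c000-0804d000 rwxp 00003000 03:01 6296799 /bin/cat\n"
    "f6fff000-f7000000 rwxp 00015000 03:01 16798526 /lib/ld-2.3.3.so\n"
    "feffe000-ff000000 rw-p feffe000 00:00 0\n";

static void report(const char *name, struct maps_summary s)
{
    printf("%-14s mappings=%d exec=%d rwx=%d exec_limit=0x%08lx\n",
           name, s.total, s.exec, s.rwx, s.exec_limit);
}

int main(void)
{
    report("FC2 .521", audit_maps(SAMPLE_FC2));
    report("FC3 .667", audit_maps(SAMPLE_FC3_667));
    report("FC3 .678", audit_maps(SAMPLE_FC3_678));

    /* Live check of this process; /proc is Linux-only, so absence is not fatal. */
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {
        static char buf[1 << 16];
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        buf[n] = '\0';
        fclose(f);
        report("this process", audit_maps(buf));
    }
    return 0;
}
```

On the excerpts the FC2 sample reports no rwx mappings and an executable limit at the end of /bin/cat's text (0x0804c000), the .667 sample reports two rwx mappings with the limit still just above the binary, and the .678 sample reports the limit at 0xf7000000 because ld.so's rwxp data page is the highest executable mapping. Run against a live process (exec_limit printed for "this process"), a limit far above the binary on a non-NX CPU means the data and heap below it are executable regardless of the per-mapping permission bits.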